Critical Thinking - Bug Bounty Podcast

Episode 97: Bcrypt Hash Input Truncation & Mobile Device Threat Modeling

Nov 14, 2024

Dive into the world of cybersecurity as experts dissect recent vulnerabilities in bcrypt, revealing insights into multi-factor authentication risks. Explore the layered security challenges in mobile environments and learn about clever techniques for concealing payloads in URLs. The introduction of the Lightyear tool for PHP exploits highlights the importance of evolving security measures, while discussions on advanced XSS exploitation techniques underscore the need for robust web application defenses. It's a treasure trove of information for security enthusiasts!

53:05

Creator website

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The discovery of a Bcrypt vulnerability highlights the risks of input truncation in authentication processes, emphasizing the need for rigorous security audits.

Current research into Android browsers reveals significant attack vectors that exploit interaction with schemas, raising concerns over mobile security oversight.

The introduction of tools like DOM Explorer accelerates the identification of XSS vulnerabilities, showcasing the essential role of graphical interfaces in security assessments.

Deep dives

Neglecting Internal Network Security

Many companies are failing to prioritize their internal network security, leaving their systems vulnerable to attacks. Once a hacker gains access to the external network, they often find minimal defenses within the internal environment, such as numerous accessible shares and weak or non-existent controls. This lack of oversight highlights the need for organizations to implement stringent internal security measures. Solutions like ThreatLocker's Network Control can help manage exposed ports on user machines and servers, effectively tightening security on the internal network.

Intro

2min

Vulnerabilities in Bcrypt and Mobile Security

18min

Concealing Payloads in URLs

10min

Navigating Tools and Knowledge in PHP Hacking

2min

Evolving Security Measures in PHP Filter Chains

2min

Exploring Security Configurations and New Opportunities in Attack Surface Management

2min

Advanced XSS Exploitation Techniques

18min

Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from Portswigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker: Check out Network Control!

https://www.criticalthinkingpodcast.io/tl-nc

And AssetNote: Check out their ASMR board (no not that kind!)

https://assetnote.io/asmr

Resources

Okta bcrypt

Android Web Attack Surface Writeups

Concealing payloads in URL credentials

Dumping PHP files with Lightyear

Limit maximum number of filter chains

Dom-Explorer tool launched

MultiHTMLParse